Hexa's Blog

How to install GTX 1060 on Fedora with Secure Boot enabled?

15/12/2021 Linux

In this post, I would like to introduce solution to install VGA drivers for 1060 on Fedora with enabled SECURE BOOT.

Step 1: Determine vga installed on the motherboard.

On terminal, use the following command to see avaialble installed VGA.

lspci |grep -E "VGA|3D"

Example output:

02:00.0 VGA compatible controller: NVIDIA Corporation GP106 [GeForce GTX 1060 6GB] (rev a1)
04:00.0 VGA compatible controller: ASPEED Technology, Inc. ASPEED Graphics Family (rev 30)

Step 2: Download nvidia driver from Nvidia Official Website

[1] NVIDIA Driver Downloads
[1] NVIDIA Driver Downloads

In this post, I would like to pick the latest stable version 470.94 which was released on December 13, 2021. After your downloading finished, remember to make the file executable with chmod +x NVIDIA-Linux-x86_64-470.94.run, and copy it to $HOME/Software/VGA-1060-key, you will need to execute this file each time your update your kernels.

mkdir -p $HOME/Software/VGA-1060-key;
cd $HOME/Software/VGA-1060-key;
wget https://us.download.nvidia.com/XFree86/Linux-x86_64/470.94/NVIDIA-Linux-x86_64-470.94.run;
chmod +x NVIDIA-Linux-x86_64-470.94.run;

Step 3: Generate new pair private-key and public-key

mkdir -p $HOME/Software/VGA-1060-key/key;
cd $HOME/Software/VGA-1060-key/key;
openssl req -new -x509 -newkey rsa:2048 -keyout vga-1060.key -outform DER -out vga-1060.der -nodes -days 365000 -subj "/CN=Graphics Drivers";

Your directory tree should look like:

[2] Directory Tree
[2] Directory Tree

Step 4: Enroll new public key with mokutil

You need to run this command to import your new public key with mokutil, this program will ask you a password for enrolling, which then be asked in the next reboot.

sudo mokutil --import $HOME/Software/VGA-1060-key/key/vga-1060.der;

Step 5: Make install.sh in VGA-1060-key directory

This is install.sh content:

#!/bin/bash
./NVIDIA-Linux-x86_64-470.94.run --module-signing-secret-key=/home/YOUR_USERNAME/Software/VGA-1060-key/key/vga-1060.key \
                                 --module-signing-public-key=/home/YOUR_USERNAME/Software/VGA-1060-key/key/vga-1060.der

Each time you update your kernel, you need to go boots OS with level 3 and run this script install.sh.

[3] Directory Tree
[3] Directory Tree

Step 5: Install package dependencies & update OS

This step ensure you got the lastest kernel & all dependent packages.

sudo dnf install kernel-devel kernel-headers gcc make dkms acpid libglvnd-glx libglvnd-opengl libglvnd-devel pkgconfig;
sudo dnf update;

Step 6: Disable nouveau

  • Create or edit /etc/modprobe.d/blacklist-nouveau.conf
sudo echo "blacklist nouveau" >> /etc/modprobe.d/blacklist-nouveau.conf
  • Edit /etc/default/grub Append following flag to the end of GRUB_CMDLINE_LINUX
    • rd.driver.blacklist=nouveau
    • modprobe.blacklist=nouveau
    • nvidia-drm.modeset=1

For example:

[4] /etc/default/grub
[4] /etc/default/grub

Step 7: Update grub2 config & generate new initramfs

grub2-mkconfig -o /boot/grub2/grub.cfg;

## Backup old initramfs nouveau image ##
mv /boot/initramfs-$(uname -r).img /boot/initramfs-$(uname -r)-with-nouveau.img;

## Generate new initramfs image ##
dracut /boot/initramfs-$(uname -r).img $(uname -r);

Step 8: Boots OS on level 3 and execute the install.sh

Boots OS on level 3 and reboot

sudo systemctl set-default multi-user.target;
sudo systemctl -r now;

After login, go to VGA-1060-key directory and execute install.sh. At this step, just keep accepting and the driver will be installed.

cd /home/nguyenvinhlinh/Software/VGA-1060-key;
sudo ./install.sh;

After installing vga driver, you will need reboot OS on level 5 - graphical

systemctl set-default multi-user.target;
systemctl -r now;

Next time, if you update your kernel, you can run this step (Step 8) again, it should be fine. In addition, you should encrypt your private-key with gpg, it’s not a good practice leave it unencrypted. You can check this guide Mã hóa và giải mã file trên linux sử dụng GPG

Reference